The two parties agreed in mid-November to settle their differences. People's United will pay PATCO for the losses the construction company suffered after a series of fraudulent wire transfers hit the company's commercial account, says Mark Patterson, co-owner of PATCO.

Originally, PATCO was seeking damages and legal fees in addition to compensation for the fraudulent losses it suffered.

But Patterson says settlement was the only recourse. "We took the court's advice," he says.

Patterson would not offer further comment about the settlement, and People's United did not respond to a request for comment.

Avivah Litan, a fraud analyst with consulting firm Gartner, says the settlement should serve as a lesson for other institutions. "An ounce of prevention is worth a pound of cure," she says. "The banks are clearly better equipped to prevent account takeover than their customers are, although certainly customers should institute whatever security measures they have access to."

Unreasonable Security Cited

In its 43-page ruling, the appellate court described the bank's security procedures as "commercially unreasonable," and said the bank should have detected and stopped the fraudulent transactions that hit PATCO's account. The ruling also claimed the former Ocean Bank increased PATCO's fraud risk by relying on what it referred to as a "one-size-fits-all" approach to monitoring and authentication of high-dollar transactions.

David Navetta, founding partner of the Information Law Group, says the PATCO case and others like it illustrate the increasing challenge banks face in the courts. "I think these cases ultimately hurt the negotiating position of banks involved in an ACH fraud situation arising out of online banking," he says.

As a result, Navetta suggests that, in many cases, banks might be better off if they simply cover the losses linked to account takeovers rather than risk losing a court battle.

The appellate ruling in the PATCO case, however, opened the door for future cases to explore the obligation commercial customers have for ensuring their own security. Pointing to Article 4A of the Uniform Commercial Code, which provides protections to commercial customers similar to those provided for consumers under Regulation E, the court suggested commercial customers have some responsibilities.

Under Article 4A, a bank typically bears the risk of loss when unauthorized funds transfers are approved. The bank may shift that risk of loss onto the customer by either proving the commercial reasonableness of its offered security procedures or by proving that it approved the fraudulent payment or transfer in good faith and in compliance with security procedures noted in its contract with the customer. But in its July ruling, the appeals court said: "Article 4A does not appear to be a one-way street. Commercial customers have obligations and responsibilities as well."

Had the parties not settled, their ongoing legal dispute likely would have involved a review of whether PATCO fulfilled its own obligations under the Uniform Commercial Code.

Litan says a simple rules-based fraud prevention system likely would have prevented PATCO's account from being breached. But the larger question of customer obligations remains to be determined. "We are really no closer to knowing that than we were before," she says.

Other Fraud Cases

The PATCO case is the second high-profile dispute over an account takeover event to be settled out of court this year. In June, California-based Village View Escrow settled with its former bank, Professional Business Bank, for more than the $400,000 drained from its account in March 2010.

In May 2010, PlainsCapital Bank and Texas-based Hillary Machinery settled, for an undisclosed amount, their legal differences over an ACH/wire fraud incident that cost Hillary Machinery more than $800,000. The case was the first to draw attention to account takeover risks posed by lax online security.

So far, of the incidents that have hit the headlines, only the ACH/wire fraud case between Michigan-based Experi-Metal Inc. and Comerica Bank was resolved in court. In June 2011, a district court ruled in favor of EMI and ordered Comerica to reimburse the business for the more than $560,000 drained from its account via fraudulent transactions.

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
